LOSING YOUR PRIVACY ONE DEVICE AT A TIME: ROUTERS WITH UNRESTRICTED VENDOR REMOTE ACCESS AND SPYING CAPABILITIES (updated)
July 5th Cisco backs down, cites "mistake"
"Creepy, right? While most people tended to ignore the TOS statements, some smarter people chose to read them, and quickly generated some consumer outrage and negative media coverage. This prompted Cisco to revise the language. (Latest version here.) It also issued instructions for how to roll the router back to its previous state, and to disable the automated updates."
"Cisco has since called the whole kerfuffle 'a mistake.'"
"You’d think Cisco would have thought this sort of thing through a little better. But then, it has a long history of misfires and mysterious arbitrary decisions where its consumer products are concerned."
July 3, 2012 PEOPLE ARE CATCHING ON TO CISCO’S PERFIDY AND THEY ARE NOT PLEASED …
Cisco locks customers out of their own routers, only lets them back in if they agree to being spied upon and monetized
By Cory Doctorow at 1:36 pm Tuesday, Jul 3
“Owners of Cisco/Linksys home routers got a nasty shock this week, when their devices automatically downloaded a new operating system, which locked out device owners. After the update, the only way to reconfigure your router was to create an account on Cisco's "cloud" service, signing up to a service agreement that gives Cisco the right to spy on your Internet use and sell its findings, and also gives them the right to disconnect you (and lock you out of your router) whenever they feel like it.”
And it appears that they plan to police your files for dreaded downloads that displease the Hollywood content overlords …
“Joel Hruska from ExtremeTech reports:
This is nothing but a shameless attempt to cash in on the popularity of cloud computing, and it comes at a price. The Terms and Conditions of using the Cisco Connect Cloud state that Cisco may unilaterally shut down your account if it finds that you have used the service for “obscene, pornographic, or offensive purposes, to infringe another’s rights, including but not limited to any intellectual property rights, or… to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability.”
Original Blog Entry …
Once again, it appears that an electronic device manufacturer is going to sell you a product and then – as a condition of use – spy on your activity; ostensibly to improve your experience with the product.
The blogosphere is pulsating with the news about Cisco/Linksys routers that may no longer be configured locally and must be configured through the “Cisco Connect Cloud” service, and about certain routers which have been automatically upgraded to mandate the use of that service without the hardware owner’s permission.
“Myrv writes "Reports have started popping up that Cisco is pushing out and automatically (without permission) installing their new Cloud Connect firmware on consumer routers. The new firmware removes the user's ability to login and administer the router locally. You now must configure the router using Cisco's Cloud connect service. If that wasn't bad enough, the fine print for this new service allows Cisco to track your complete internet history. Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet."
Check out some of the above links for discussions on intrusive behavior and suggestions for work-arounds.
About Cisco Cloud Connect …
“Cisco Connect Cloud!”
“Now available for Linksys Smart Wi-Fi Routers, Cisco Connect Cloud gives you anytime, anywhere access to your home network.”
“This revolutionary new technology delivers a host of free apps for your router, and that's only the beginning. As new devices and ways of interacting with your home emerge, Cisco Connect Cloud will keep expanding with new apps to enrich your connected lifestyle.”
and their broadly-construed privacy agreement …
“Cisco Connect Cloud Supplement”
“Note that this page is a supplement to the Cisco Privacy Statement. In order to understand the data collection and use practices relevant for a particular site or solution, you should read both the Cisco Privacy Statement and any applicable supplement.”
“The following describes our practices with respect to the Cisco Connect Cloud service, which includes any Cisco-authored apps that are part of this service (the "Service").”
Collection and Use of Information
“As part of the Service registration process, you can also opt in to having your router product registration information sent to Cisco's product registration database. This helps streamline the registration process for your router in the event you need to contact us for support, and saves you the extra step of having to register your router separately.”
“When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); Internet history; how frequently you encounter errors on the Service system and other related information.”
“We use this Other Information to help us quickly and efficiently respond to inquiries and requests, and to enhance or administer our overall Service for our customers. We may also use this Other Information for traffic analysis (for example, determining when the most customers are using the Service) and to determine which features within the Service are most or least effective or useful to you. In addition, we may periodically transmit system information to our servers in order to optimize your overall experience with the Service. We may share aggregated and anonymous user experience information with service providers, contractors or other third parties to assist us with improving the Service and user experience, but any shared information will be consistent with Cisco's overall Privacy Statement and will not identify you personally in any way.”
You notice that they do not mention that they may provide information to the government without notifying you or allowing you to challenge the validity of the information request. At least not in this document.
And, of course, there are the Hollywood “content providers” who are urging Internet Service Providers and hardware/software vendors to protect their aged and failing business model by building internal mechanisms to police their alleged copyrighted intellectual property – and erase it from your system if it is found. And this is the type of device which would allow them to obtain access should their lobbyists bribe enough legislators to hide this provision in a “must pass” piece of legislation.
Notice they grant themselves immunity and insulate themselves from liability …
Like all other vendors, the legal fine print absolves the company of any liability beyond what you paid for the product.
“General Exclusions and Limitations of Liability. In some jurisdictions and circumstances, it is possible to change or exclude warranties, conditions or guarantees implied or imposed by law and/or to otherwise limit Cisco’s liability to consumers. Only in those jurisdictions where it can lawfully do so, and to the full extent that it is allowed by law to do so, Cisco:
which arises under any law (including the law of negligence) and relates to your use, or inability to use the software, or any related services. This exclusion applies even if Cisco has been advised of the possibility of such damages and even if any warranty or remedy provided under this limited warranty fails of its essential purpose; and limits its monetary liability to you, under any law, to the price that you paid for the software or the device containing the software.”
But that’s not all …
Here is the ubiquitous “Other” section:
“When you use Cisco Connect Cloud, you are subject to the applicable End User License Agreement and Terms of Service, as well as the overall Cisco Privacy Statement. Please see Support if you have questions about this service.”
As if you are going to read multiple fine-print legal agreements when you pick up that device at the local computer store?
Computer infrastructure and the government …
As we have seen from the recent events involving the President of the United States and his gun-running Attorney General, Eric Holder, the government often holds themselves to be above the law and unaccountable for their actions.
And it appears that the government (local, state and federal) may no longer need physical access to your computer in order to install a key-logger or other device to harvest your passwords and gain access to constitutionally-protected information. They need only push system-level software down-line to your infrastructure routers where it cannot be easily detected or removed. Sort of STUXNET and FLAME targeted at every politically active American.
So I ask you …
So I ask you, what company – with multi-million dollar government contracts at stake – is willing to challenge and resist their “official” or “unofficial” information requests?
And should legal or physical harm come to you or your family as a result of an information breach or inappropriate sharing with unknown third parties, the company will be completely insulated from the results of its actions by pointing to the voluntary agreement you signed when you purchased the device.
Why would anyone want to run applications involving their router when applications should be run on your primary device, preferably in a protective sandbox?
Why would anyone want to subvert their own security by adding a layer of connectivity to third-party applications that may not be monitored by the user and may be beyond user control?
Bottom line …
As we have seen, various Internet-related companies are struggling to monetize your information by selling advertisers access to targeted consumers based on demographic/psychographic (lifestyle) information.
These firms have contractually insulated themselves from the consequences of their actions – including negligence – and cannot be trusted to put the consumer’s privacy needs over their corporate best interests.
And while it is true that your ISP (Internet Service Provider) has a complete record of your Internet Activity, which is discoverable by the government or private parties engaged in legal actions, I see no reason to voluntarily surrender the very same information to an unaffiliated third-party who happens to sell me a communications product. Especially when they appear to be selling the ability to police content to Hollywood’s content providers who consider downloading any file, even those in the public domain which they protect with an electronic wrapper, to be tantamount to treason.
But like all things in life, there are trade-offs. Security for convenience; security for loss of freedom and the illusion of security for absolutely nothing in return. The choice is yours.
What we really need, and what the government and most companies fear, is a comprehensive Privacy Bill of Rights with criminal penalties for those who go beyond the bounds of the law. To this end, I strongly suggest that you may wish to join the Electronic Frontier Foundation (www.eff.org) and participate in their privacy projects.
What company can you trust to provide a firewall which keeps all unauthorized intruders from your system? If you find out the answer, let me know.
“Nullius in verba.”-- take nobody's word for it!
“Beware of false knowledge; it is more dangerous than ignorance.”-- George Bernard Shaw
“Progressive, liberal, Socialist, Marxist, Democratic Socialist -- they are all COMMUNISTS.”
“The key to fighting the craziness of the progressives is to hold them responsible for their actions, not their intentions.” – OCS
"The object in life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
“A people that elect corrupt politicians, imposters, thieves, and traitors are not victims... but accomplices” -- George Orwell